It’s not just TechCrunch saying it, a UK parliamentary science and technology committee has now warned the government needs to clarify the legal position around end-to-end encryption in its draft Investigatory Powers Bill (IP bill).
The government is hoping to pass the legislation, which expands intelligence and law enforcement agencies’ surveillance capabilities, by the end of this year. Critics have dubbed it a new ‘Snooper’s charter’ and there have been specific concerns about the implications for encryption — so the committee is just the latest to call for more clarity on the latter point.
Writing with recommendations in its report on the draft bill, the committee notes: “There is some confusion about how the draft Bill would affect end-to-end encrypted communications, where decryption might not be possible by a communications provider that had not added the original encryption.”
Home Secretary Theresa May was specifically queried on this point last month, by a joint select committee also scrutinizing the proposed legislation. That committee, which has held multiple evidence hearings and also accepted written submissions, is due to publish its report later this month.
May was grilled on whether the government wants companies to insert backdoors into services to afford access to the intelligence agencies. She denied this is the case but reiterated that it would be expecting companies to provide data in a “legible” form when served with a warrant — which, if end-to-end encryption has been properly implemented, would of course be impossible.
“What we are saying to companies… is that when a warrant is lawfully served on them there is an expectation that they will be able to take reasonable steps to ensure that they can comply with that warrant. i.e. that they can provide the information that is being requested under that lawful warrant in a form which is legible for the authorities,” May said.
The science and technology committee has rightly identified this fudge as a problem, writing in its recommendations that: “The Government should clarify and state clearly in the Codes of Practice that it will not be seeking unencrypted content in such cases, in line with the way existing legislation is currently applied.”
“In tightly prescribed circumstances, law enforcement and security services should be able to seek to obtain unencrypted data from communications service providers. They should only seek such information where it is clearly feasible, and reasonably practicable, and where its provision would be consistent with the right to privacy in UK and EU law. The obligations on potential providers of such data should be clarified in the proposed Codes of Practice to be published in draft alongside the Bill later this year,” it adds.
The committee is also generally unhappy with the various vague pieces of terminology used in the bill — ostensibly, says the government, to attempt to future proof the legislation — warning that ill-defined terms have led to “significant confusion on the part of communications service providers and others” as to the scope of the proposed legislation.
“Terms such as “telecommunications service”, “relevant communications data”, “communications content”, “equipment interference”, “technical feasibility” and “reasonably practicable” need to be clarified as a matter of urgency,” it writes.
“The Government should review the draft Bill to ensure that the obligations it is creating on industry are both clear and proportionate. Furthermore, the proposed draft Codes of Practice should include the helpful, detailed examples that the Home Office have provided to us.”
The Home Office has evidently provided tighter definitions for some of the terminology used in the legislation to the committee — such as what is covered by Internet Connection Records (ICRs): aka the web browsing data the IP Bill will require ISPs to collect and store for a year. But such information should be visibly appended to the bill, the committee argues.
It is also concerned about the economic and operational impact of the bill on comms businesses in the UK, such as from the requirement they store ICR data, and again flags up problems with a lack of clarity on costs and compliance requirements.
“The Government should reduce uncertainty about compliance burdens for businesses, proportionality and about cost recovery, by explicitly addressing such issues in the Codes of Practice,” it writes.
“These Codes of Practice should clearly address the requirements for protecting ICR data that will have to be retained and managed by CSPs, along with the security standards that will have to be applied to keep them safe. Businesses based in the UK and those serving UK customers should not be placed at a commercial disadvantage compared with their overseas competitors.”